Note
CiscoSecure NT refers to the home gateway as the network access server or just the access
server. Make sure that when CiscoSecure NT prompts you to enter information about what it calls
the access server, you enter the corresponding information about the home gateway. CiscoSecure NT
does not communicate with the NAS. Therefore, the only server CiscoSecure NT refers to is the
home gateway.
Modify the file called CSU.cfg to support VPN accounting records.

pagoda# cd /cs/config
Change your working directory to config.

pagoda# vi CSU.cfg
DOMAIN config_local_domain = { { "hgw.com", "@", suffix } };
Open a vi editor session to modify the file called CSU.cfg where:
• DOMAIN config_local_domain= means that the accounting records generated are for hgw.com.
• hgw.com defines the name of the domain.
• @ defines the delimiter.
• suffix defines that the domain name is placed after the username.

:wq!
Exit the vi editor session and save the modifications to the CSU.cfg file.

pagoda# /etc/rc0.d/K80CiscoSecure
Shut down the CiscoSecure UNIX server.

pagoda# /etc/rc2.d/S80CiscoSecure
Restart the CiscoSecure UNIX server.
Use this display To do this
Install CiscoSecure NT. Before you can successfully install CiscoSecure NT, make sure you meet the following criteria:
• A client can successfully dial in to the NAS. If you have successfully configured the access VPN to work with local AAA, you have met this criterion.
• This Windows NT server can ping the NAS. If you have successfully configured the access VPN to work with local AAA, you have met this criterion.
• The NAS is running Cisco IOS Release 11.1 or a later release.
• A compatible browser is installed on the Windows NT server.
• On the Before You Begin screen, check all the corresponding boxes when the requirements are met.
• Click Next.
In the Choose Destination Location screen:
• Select the folder where Setup will install CiscoSecure NT.
• Click Next.
In the Authentication Database Configuration screen, define the database where CiscoSecure NT authenticates users. You have the option to use either the:
• Local CiscoSecure database or
• Local CiscoSecure database and the Windows NT user database.
In this scenario, only the local CiscoSecure database is queried for user accounts.
• Click CiscoSecure ACS database only.
• Click Next.
Step 4—Configuring the CiscoSecure ACS NT Server
In the CiscoSecure ACS Network Access Server Details screen, select the security protocol.
Note Remember that CiscoSecure NT calls the home gateway the network access server.
• Select RADIUS (Cisco) in the security protocol box.
• Type ENT_HGW in the Access Server Name box.
• Type 172.22.66.25 in the Access Server IP Address box.
• Type 172.22.66.13 in the Windows NT Server IP Address box.
• Click Next.
In the Advanced Options screen, define the advanced options that will appear in the CiscoSecure NT user interface.
Click the following advanced options:
• User level network access restrictions
• Group level network access restrictions
• Max sessions
• Default time of day/day of week specification
• Distributed system settings
• Database replication
• Click Next.
In the Active Service Monitoring screen:
• Click Enable Log-in Monitoring
• Select Script to execute: *Restart All.
• Click Next.
In the Network Access Server Configuration screen, click Next.
Because you have already configured the home gateway, you do not need to use this automated configuration feature.
Note Remember, CiscoSecure NT calls the home gateway the network access server.
The installation is now complete.
In the CiscoSecure ACS Service Initiation screen, you are asked if you want to start CiscoSecure NT service immediately and if you want Setup to launch the CiscoSecure NT Administrator from the installed browser immediately. To do so:
• Click Yes, I want to start CiscoSecure ACS Service now
• Click Yes, I want Setup to launch the CiscoSecure ACS Administrator from my browser following installation
• Click Next.
In the CiscoSecure ACS Welcome screen, click Network Configuration.
Note The address 127.0.0.1 is a loopback address. If you run the browser from the same system that CiscoSecure NT is installed on, this IP address appears in the HTTP browser field. However, if you want to run the browser on a system that is different than the one on which CiscoSecure NT has been installed, then the actual IP address of the device appears in the box.
For CiscoSecure NT to authenticate a user, you must strip the domain name from the incoming username, so that the username matches the form that CiscoSecure NT uses in its username/password database.
In the Network Configuration screen:
Click Add Entry below the Distribution Table.
In the Add New Distribution Entry frame of the Network Configuration window, create a distribution entry:
• Type @hgw.com in the Character string box.
• Select Suffix in the Position box.
• Select Yes in the Strip box.
• Select ENT_HGW in the Forward to: box and click the right arrow to move it to the “Forward To” column.
• Click Submit and Restart.
After you click Submit and Restart, a summary of the information you have configured appears.
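The stripping rule configured above, modelled as an added example (this is not Cisco code and is not part of the original document). It shows why the user database holds jeremy rather than jeremy@hgw.com, and why the match has to be anchored at the configured end of the name. The class and function names are hypothetical, and the exact, case-sensitive comparison is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class DistributionEntry:
    """One row of the Distribution Table, named after the boxes on the screen."""
    character_string: str   # "@hgw.com" in this scenario
    position: str           # "suffix" or "prefix"
    strip: bool             # Strip box: Yes or No
    forward_to: str         # "ENT_HGW" in this scenario


def route(username: str, table: Sequence[DistributionEntry]) -> Optional[Tuple[str, str]]:
    """Return (name used for the database lookup, forward-to target), or None.

    Assumption: the comparison is exact and anchored at the configured end of
    the name; the page does not say how the real product treats case.
    """
    for entry in table:
        token = entry.character_string
        if entry.position == "suffix":
            matched = username.endswith(token)
            bare = username[: len(username) - len(token)]
        elif entry.position == "prefix":
            matched = username.startswith(token)
            bare = username[len(token):]
        else:
            raise ValueError(f"unknown position: {entry.position!r}")
        # An empty remainder means the client sent only the domain part.
        if matched and bare:
            return (bare if entry.strip else username, entry.forward_to)
    return None


# The entry created in the steps above.
TABLE = [DistributionEntry("@hgw.com", "suffix", True, "ENT_HGW")]

# Constructed sample usernames, not captured from a real system.
SAMPLES = ["jeremy@hgw.com", "jeremy", "jeremy@hgw.com.example", "@hgw.com"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:28} -> {route(name, TABLE)}")
```

Only the first sample matches: the second carries no domain, the third merely contains the string without ending in it, and the fourth leaves no username after stripping.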
Click User Setup.
In the User Setup window, to create a user:
• Type jeremy in the User box.
• Click Add/Edit.
In the User Setup screen, add the following supplementary user information:
• Type Jeremy Smith in the Real Name box.
• Type Remote User in the Description box.
• Select CiscoSecure Database in the Password Authentication box.
• Type subaru in the Password box.
• Type subaru in the Confirm box.
• Click Submit.
You have now created a user named Jeremy.
Verifying the Access VPN
This section describes how to verify that the end-to-end connections function as shown in Figure 18:
• Step 1—Checking the NAS Final Running Configuration
• Step 2—Checking the Home Gateway Final Running Configuration
• Step 3—Dialing in to the NAS
• Step 4—Pinging the Home Gateway
• Step 5—Displaying Active Call Statistics on the Home Gateway
• Step 6—Pinging the Client
• Step 7—Verifying That the Virtual-Access Interface Is Up and That LCP Is Open
• Step 8—Viewing Active L2F Tunnel Statistics
Figure 18 Access VPN Topology Using Remote AAA